Authenticating Secure Tokens Using Slow Memory Access
|
|
- Doreen Janis Cannon
- 8 years ago
- Views:
Transcription
1 THE ADVANCED COMPUTING SYSTEMS ASSOCIATION The following paper was originally published in the USENIX Workshop on Smartcard Technology Chicago, Illinois, USA, May 10 11, 1999 Authenticating Secure Tokens Using Slow Memory Access John Kelsey and Bruce Schneier Counterpane Systems 1999 by The USENIX Association All Rights Reserved Rights to individual papers remain with the author or the author's employer. Permission is granted for noncommercial reproduction of the work for educational or research purposes. This copyright notice must be included in the reproduced paper. USENIX acknowledges all trademarks herein. For more information about the USENIX Association: Phone: FAX: office@usenix.org WWW:
2 Authenticating Secure Tokens Using Slow Memory Access John Kelsey Bruce Schneier Counterpane Systems, 101 East Minnehaha Parkway, Minneapolis, MN Abstract We present anauthentication protocol that allows a token, such as a smart card, to authenticate itself to a back-end trusted computer system through an untrusted reader. This protocol relies on the fact that the token will only respond to queries slowly, and that the token owner will not sit patiently while the reader seems nottobeworking. This protocol can be used alone, with \dumb" memory tokens or with processor-based tokens. 1 Introduction Smart cards have been used in many applications that require that the data be secured from the cardholder. In the Modex stored-value smart card system, for example, the smart card stores a particular monetary value. An attacker who can successfully change the value stored in the card can essentially print money. 1 In GSM phones, smart cards provide identity information used to prevent cloning and in billing. An attacker who can modify that information can charge cellular phone calls to another account [?]. Smart cards used to protect satellite television can be attacked to obtain free services [McC96]. These cards are vulnerable to a large class of attacks [And94, Sch97, Row97, Sch98], from reverseengineering [AK96] and protocol failures [AN95] to side-channel attacks [Koc96, Koc98, KSWH98, DKL+99] and fault analysis [BDL97, BS97]. In all of these attacks, the attacker can defeat the security of the card by breaching its secure perimeter and learning the condential information stored within. With reverse-engineering, the attacker defeats the tamperreisistance measures directly; with side-channel and fault-analysis attacks, the attacker exploits weaknesses in the physical security to learn information within the secure perimeter. 1 For other examples, see [CP93], [SK97], and [RKM99]. There is another class of applications for smart cards applications in which thevalue of a successful attackismuch smaller. These cards might provide micropayment information, low-security access control, or act as payment vehicles in circumstances with low marginal cost of goods (pay television, public transportation, etc). In these applications we are less concerned with individual fraud, and more concerned with an organized attack tocreate and distribute fake cards. Someone who sneaks onto the subway orwatches a satellite movie without paying isn't going to aect the service provider's bottom line, but someone who is able to counterfeit access tokens that allow everyone to sneak onto the subway or watch the movie could collapse the entire system. Hence, the primary threat is not from an isolated attack against a single card, but an attack that can bescaledtomultiple cards. The threat is from untrusted card readers that the user may stick his card into. In this paper, we propose a low-tech authentication protocol that is useful in this sort of situation. Our protocol makes use of what we will call a \slow memory device": adevice that responds to queries by revealing the contents of dierent memory locations, but one that necessarily takes several seconds to do so. The protocol relies on the fact that the cardholder does not have innite patience. If he puts his smart card into a reader and nothing happens for several seconds, he will likely pull the card out and try again. If nothing happens again, he will nd another reader. The slow response of the card ensures that a fraudulent reader can only do so much damage before the cardholder removes his card. This protocol makes no cryptographic assumptions, and is independent of any cryptography that may or may not be in the system. It can be implemented by itself, or in conjunction with cryptographic controls. The rest of the paper is organized as follows. In Section 2 we describe the slow memory device and its functionality. In Section 3, we describe our authentication protocol. In Section 4 we discuss variants
3 and extensions to this basic protocol, and in Section 5 we discuss applications. 2 The Slow Memory Device This protocol assumes the existence of a slow memory token. By this we mean a token a smart card, a Dallas Semiconductor ibutton, etc. that acts as a memory device, but never responds to a request in less than t seconds (t = 10, for the purposes of this example). It is impossible for a terminal to get more information during that time; the token's electronics are such that it simply cannot respond to requests faster. This memory token has m memory locations, each w bits wide (w = 64 for the purposes of this example). The token does not need a processor, nor does it need to implement any cryptographic primitives in order to execute this protocol. 3 The Basic Protocol There are three parties in this protocol: The Token: The slow memory device. The Terminal: The untrusted card reader. The Trusted Machine: A trusted computer connected to, and possibly remote from, the Terminal. Our authentication protocol is simple. A user inserts his Token into a Terminal. The Terminal now needs to prove to a Trusted Machine that the Token is currently inserted into the Terminal. The Terminal is only marginally trusted, and could be malicious. In order to complete the protocol correctly the Terminal must be connected, via a secure data link, to a Trusted Device. The Trusted Device keeps an exact copy of the contents of the Token; this is a shared secret that the Terminal does not know. Our protocol is as follows: (1) The holder of the Token inserts it into the Terminal. (2) Terminal reads the header information from the Token. (3) Terminal sends this information over an encrypted link to the Trusted Device. (4) Trusted Device generates a random challenge and sends it back over the encrypted link to the Terminal. This challenge consists of a list of n memory locations on the Token. (5) Terminal reads the n memory locations from the Token, XORs them all together, and sends the result back over the encrypted link to the Trusted Device. (6) The Trusted Device veries this information; if it checks out, it believes that the Token is currently inserted into the Terminal. Note that there are no cryptographic primitives in the protocol: the only mathematical operation involved is XOR. There are no encryption functions, one-way hash functions, or message authentication codes used in the protocol. The Token might have bit memory locations. Each time read request comes in, it takes ten seconds to respond, and without reverse-engineering the device and tampering with its internals, this can't be made any faster. Assuming ten seconds per communications exchange, and setting n = 1, steps (2) and (3) take ten seconds, step (4) takes another ten seconds, and step (5) takes another ten seconds. This gives us a total of 30 seconds per transaction. Now, this can be extended a little bit without the user knowing. A malicious Terminal might ignore the protocol completely, and simply query the Token (repeat step (5)). Maybe the Terminal can perform six queries instead of one, doubling the transaction time, before the Token owner removes his card. To provide adequate security, weneedtoaccountfor possible malicious behavior by the Terminal in how many transactions are allowed, keeping the probability of success acceptably low even if most Terminals are corrupt. 3.1 Reasonable Values for n Suppose the Token has m memory locations, that each instance of the protocol requests the XOR of n random locations, and that n << m. Assuming an attacker eavesdrops on each authentication, he will learn the contents of n memory locations, not all of them dierent, after each transaction. The average number of authentications that the Token can accomplish before the attacker has a better than
4 0.5 chance of impersonating the Token (that is, being able to respond correctly to a random query), is: log(n)=(log(m), log(m, n)) For example, for m = 1000 and n =5,an attacker who eavesdrops on 322 authentications has a better than 0.5 probability of being able to impersonate the Token by answering a random challenge correctly. This, of course, is not the most eective attack. A fraudulent Terminal will specically query the Token to learn the memory locations that it does not know. Hence, a malicious Terminal can learn the entire contents of a Token in m=n queries. So for the parameters above, a malicious terminal that conducts 100 fraudulant transactions will have a better than 0.5 probability of being able to impersonate the Token. The Token owner, though, would have to be convinced to allow the Token to be used in 100 ineectual transactions. 4 Extensions 4.1 A Button on the Token Ideally, we'd have some user-interface mechanism on the Token, likeapushbutton. The Token is willing to perform only once per button-push. Alternatively, the Token buzzes or lights up once per memory query answered. This would make multiple queries much harder for the Terminal to make, since the Token owner could detect that the protocol was not proceeding as specied. 4.2 Reducing Storage Requirements in the Trusted Device As written, the Trusted Device must store a complete copy of the Token's memory location. If this is too much memory, the Trusted Device could store the Token's ID information and a secret key known only to it (and not the token). The Token's memeory locations would then be the memory address encrypted with this secret key, and would have to be loaded onto the Token by the Trusted Device. 4.3 CRC Hardware on the Token If the Token can aord CRC hardware, then queries can be handled using this alternate protocol: (1) The holder of the Token inserts it into the Terminal. (2) Terminal reads the header information from the Token. (3) Terminal sends this information over an encrypted link to the Trusted Device. (4) Trusted Device generates a random challenge and sends it back over the encrypted link to the Terminal. This challenge consists of a list of n memory locations on the Token. (5a) The Terminal sends the Token a request for the n memory locations. (5b) The Token goes through the motions (and delay) of sending it out internally, but only outputs the 32-bit CRC ofthen requested memory locations. (6) The Trusted Device veries this information; if it checks out, it believes that the Token is currently inserted into the Terminal. Each memory location can now be 32 bits long, and even one unknown memory location in the query string prevents an attacker from succeeding in an impersonation attack. Note that this system works best if there are lots of Terminals under dierent entities' control. If a Token only interacts with one Terminal every time it executes the protocol, then this system doesn't work very well. 4.4 Incrementing Values in the Token and Trusted Device If we're worried about an attacker reverseengineering and making lots of copies of the Token, then we have each query of memory location cause that memory location to increment by one, modulo 2 32, or rotate left one bit, or whatever else is cheap enough to be implemented. Note that this update must occur on both the Token and the Trusted Device, and assumes that there is either only one Trusted Device or that the dierent Trusted Devices can communicate with each other securely to synchromize these updates. This variant does not help against impersonation attacks. What it does do is to makecontinued synchronization of those counterfeit Tokens very expensive and complex. Now, if any memory location in the challenge string has been changed, the duplicated Token fails to give the correct answer.
5 4.5 Reducing the Amount of Trust in the Trusted Device A given Trusted Device may be only partially trusted. Instead of having it store a complete listing of the Token's memory locations, it can be given a series of precomputed challenges in order and the right responses to be expected. (If we use the previous extension, this will work only for small numbers of dierent Trusted Devices.) 5 Security Analysis The slow memory protocol is designed to frustrate a particular kind of attack. It is intended to provide security against an insecure reader trying to collect enough information from a token to be able to impersonate it. It does not provide security against someone reverse-engineering the token and cloning it (although the extension described in Section 4.2 considerably frustrates that attack in most circumstances), nor does it provide security in the event that the back-end database (the Trusted Device in the protocol) is compromised. A more extensive security analysis will be in the nal paper. 6 Applications A complete discussion of applications, along with their security ramications, will be in the nal paper. The most obvious applications are things like nonduplicable keys for locks and alarms, free passes or one-day (or k-day) coins, and login keys. In these applications, we are less concerned with a single person hacking the authentication device than the same single person being able to distribute a large number of them. One of the most benecial aspects of this protocol is that it works well with cryptography, even though it has no cryptography itself. We can use a message authentication code such as HMAC [BCK96] in addition to this protocol, and if the MAC breaks, the memory trick still works. Or course, all Trusted Devices must be trusted with copies of the memory maps. 7 Conclusions Security countermeasures must be commensurate with the actual threats. In this paper we have presented a low-tech security solution that helps mitigate a specic threat, and can be used in conjunction with other cryptographic countermeasures. 8 Acknowledgments The authors would like to thank Chris Hall for his helpful comments. Additionally, the authors would like Niels Ferguson, who broke the MAC and subsequently inspired this research. References [And94] R. Anderson, \Why Cryptosystems Fail," Communications of the ACM, v. 37, n. 11, Nov 1994, pp. 32{40. [AK96] [AN95] [BCK96] R. Anderson and M. Kuhn, \Tamper Resistance { A Cautionary Note," Second USENIX Workshop on Electronic Commerce Proceedings, USENIX Press, 1996, pp. 1{11. R. Anderson and R. Needham, \Programming Satan's Computer," Computer Science Today: Recent Trends and Developments, LNCS #1000, Springer- Verlag, 1995, pp. 426{440. M. Bellare, R. Canetti, and H. Karwczyk, \Keying Hash Functions for Message Authentication," Advances in Cryptology CRYPTO '96 Proceedings, Springer-Verlag, 1996, pp. 1{15. [BDL97] D. Boneh, R.A. Demillo, R.J. Lipton, \On the Importance of Checking Cryptographic Protocols for Faults," Advances in Cryptology EUROCRYPT '97 Proceedings, Springer-Verlag, 1997, pp. 37{51. [BS97] [?, BGW98] M. Briceno, I. Goldberg, D. Wagner, \Attacks on GSM security," work in progress. E. Biham and A. Shamir, \Dierential Fault Analysis of Secret Key Cryptosystems," Advances in Cryptology
6 [CP93] CRYPTO '97 Proceedings, Springer- Verlag, 1997, pp. 513{525. D. Chaum and T. Pederson, \Wallet Databases with Observers," Advances in Cryptology CRYPTO '92 Proceedings, Springer-Verlag, 1993, pp. 391{407. [DKL+99] J.-F. Dhem, F. Koeune, P.-A. Leroux, P. Mestre, J.-J. Quisquater, and J.-L. Willerns, \A Practical Implementation of the Timing Attack," CARDIS '98 Proceedings, Spriger-Verlag, 1999, to appear. [Koc96] P. Kocher, \Timing Attacks on Implementations of Die-Hellman, RSA, DSS, and Other Systems," Advances in Cryptology CRYPTO '96 Proceedings, Springer-Verlag, 1996, pp. 104{113. [Koc98] P. Kocher, \Dierential Power Analysis," available online from [KSWH98] J. Kelsey, B. Schneier, D. Wagner, and C. Hall, \Side Channel Cryptanalysis of Product Ciphers," ESORICS '98 Proceedings, Springer-Verlag, 1998, pp. pp 97{110. [McC96] J. McCormac, European Scrambling Systems, Waterford University Press, [RKM99] C. Radu, F. Klopfert, and J. De Meester, \Interoperable and Untraceable Debit-Tokens for Electronic Fee Collection," CARDIS '98 Proceedings, Springer-Verlag, 1999, to appear. [Row97] T. Rowley, \How to Break a Smart Card," The 1997 RSA Data Security Conference Proceedings, RSA Data Security, Inc., [Sch97] B. Schneier, \Why Cryptography is Harder than it Looks," Information Security Bulletin, v. 2, n. 2, March 1997, pp. 31{36. [Sch98] B. Schneier, \Cryptographic Design Vulnerabilities," IEEE Computer, v. 31, n. 9, September 1998, pp. 29{33. [SK97] B. Schneier and J. Kelsey, \Remote Auditing of Software Outputs Using a Trusted Coprocessor," Journal of Future Generation Computer Systems, v.13, n.1, 1997, pp. 9{18.
Counter Expertise Review on the TNO Security Analysis of the Dutch OV-Chipkaart. OV-Chipkaart Security Issues Tutorial for Non-Expert Readers
Counter Expertise Review on the TNO Security Analysis of the Dutch OV-Chipkaart OV-Chipkaart Security Issues Tutorial for Non-Expert Readers The current debate concerning the OV-Chipkaart security was
More informationRemotely Keyed Encryption Using Non-Encrypting Smart Cards
THE ADVANCED COMPUTING SYSTEMS ASSOCIATION The following paper was originally published in the USENIX Workshop on Smartcard Technology Chicago, Illinois, USA, May 10 11, 1999 Remotely Keyed Encryption
More informationSecuring Network Audit Logs on Untrusted Machines. Bruce Schneier. schneier@counterpane.com
Securing Network Audit Logs on Untrusted Machines Bruce Schneier schneier@counterpane.com Counterpane Systems 101 East Minnehaha Parkway, Minneapolis, MN 55419 (612) 823-1098 Fax: (612) 823-1590 RAID Louvain-la-Neuve
More informationThe Misuse of RC4 in Microsoft Word and Excel
The Misuse of RC4 in Microsoft Word and Excel Hongjun Wu Institute for Infocomm Research, Singapore hongjun@i2r.a-star.edu.sg Abstract. In this report, we point out a serious security flaw in Microsoft
More informationRSA Attacks. By Abdulaziz Alrasheed and Fatima
RSA Attacks By Abdulaziz Alrasheed and Fatima 1 Introduction Invented by Ron Rivest, Adi Shamir, and Len Adleman [1], the RSA cryptosystem was first revealed in the August 1977 issue of Scientific American.
More informationSY0-201. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.
system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users. From a high-level standpoint, attacks on computer systems and networks can be grouped
More informationStrengthen RFID Tags Security Using New Data Structure
International Journal of Control and Automation 51 Strengthen RFID Tags Security Using New Data Structure Yan Liang and Chunming Rong Department of Electrical Engineering and Computer Science, University
More informationSecurity protocols for biometrics-based cardholder authentication in smartcards
Security protocols for biometrics-based cardholder authentication in smartcards Luciano Rila and Chris J. Mitchell Information Security Group Royal Holloway, University of London Surrey, TW20 0EX, UK luciano.rila@rhul.ac.uk
More informationTHREAT MODELLING FOR SECURITY TOKENS IN WEB APPLICATIONS
THREAT MODELLING FOR SECURITY TOKENS IN WEB APPLICATIONS Danny De Cock, Karel Wouters, Dries Schellekens, Dave Singelee and Bart Preneel COSIC Research Group, Dept. Electrical Engineering-ESAT, Katholieke
More informationThe Feasibility and Application of using a Zero-knowledge Protocol Authentication Systems
The Feasibility and Application of using a Zero-knowledge Protocol Authentication Systems Becky Cutler Rebecca.cutler@tufts.edu Mentor: Professor Chris Gregg Abstract Modern day authentication systems
More informationA Study on Smart Card Security Evaluation Criteria for Side Channel Attacks
A Study on Smart Card Security Evaluation Criteria for Side Channel Attacks HoonJae Lee 1, ManKi Ahn 2, SeonGan Lim 3, and SangJae Moon 4 1 Dongseo University, Busan, 617-716, Korea hjlee@dongseo.ac.kr
More informationSide Channel Analysis and Embedded Systems Impact and Countermeasures
Side Channel Analysis and Embedded Systems Impact and Countermeasures Job de Haas Agenda Advances in Embedded Systems Security From USB stick to game console Current attacks Cryptographic devices Side
More informationCapture Resilient ElGamal Signature Protocols
Capture Resilient ElGamal Signature Protocols Hüseyin Acan 1, Kamer Kaya 2,, and Ali Aydın Selçuk 2 1 Bilkent University, Department of Mathematics acan@fen.bilkent.edu.tr 2 Bilkent University, Department
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 1 January 9, 2012 CPSC 467b, Lecture 1 1/22 Course Overview Symmetric Cryptography CPSC 467b, Lecture 1 2/22 Course Overview CPSC
More informationSECURITY ANALYSIS OF PASSWORD BASED MUTUAL AUTHENTICATION METHOD FOR REMOTE USER
SECURITY ANALYSIS OF PASSWORD BASED MUTUAL AUTHENTICATION METHOD FOR REMOTE USER Mrs. P.Venkateswari Assistant Professor / CSE Erode Sengunthar Engineering College, Thudupathi ABSTRACT Nowadays Communication
More informationPart I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai 2001. Siemens AG 2001, ICN M NT
Part I Contents Part I Introduction to Information Security Definition of Crypto Cryptographic Objectives Security Threats and Attacks The process Security Security Services Cryptography Cryptography (code
More informationWhite Paper. The Security Advantages of Hardware Tokens over Software Tokens for PKI Applications
White Paper The Security Advantages of Hardware Tokens over Software Tokens for PKI Applications A l a d d i n. c o m / e T o k e n Table of Contents Abstract...3 Background...4 Soft Tokens and Their Vulnerabilities...5
More informationSECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES
www.arpapress.com/volumes/vol8issue1/ijrras_8_1_10.pdf SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES Malek Jakob Kakish Amman Arab University, Department of Computer Information Systems, P.O.Box 2234,
More informationProblems of Security in Ad Hoc Sensor Network
Problems of Security in Ad Hoc Sensor Network Petr Hanáček * hanacek@fit.vutbr.cz Abstract: The paper deals with a problem of secure communication between autonomous agents that form an ad hoc sensor wireless
More informationLecture 9 - Message Authentication Codes
Lecture 9 - Message Authentication Codes Boaz Barak March 1, 2010 Reading: Boneh-Shoup chapter 6, Sections 9.1 9.3. Data integrity Until now we ve only been interested in protecting secrecy of data. However,
More informationDifferential Fault Analysis of Secret Key Cryptosystems
Differential Fault Analysis of Secret Key Cryptosystems Eli Biham Computer Science Department Technion - Israel Institute of Technology Haifa 32000, Israel bihamocs.technion.ac.il http://www.cs.technion.ac.il/-
More informationAutomatic Event-Stream Notarization Using Digital Signatures
Automatic Event-Stream Notarization Using Digital Signatures Bruce Schneier John Kelsey Counterpane Systems, 101 East Minnehaha Parkway, Minneapolis, MN 55419 {schneier,kelsey}@counterpane.com Abstract.
More informationDesigning a Secure Client-Server System Master of Science Thesis in the Programme Software Engineering & Technology
Designing a Secure Client-Server System Master of Science Thesis in the Programme Software Engineering & Technology FREDRIK ANDERSSON Department of Computer Science and Engineering CHALMERS UNIVERSITY
More informationSecure Audit Logs to Support Computer Forensics Bruce Schneier John Kelsey fschneier,kelseyg@counterpane.com Counterpane Systems, 101 East Minnehaha Parkway, Minneapolis, MN 55419 Abstract In many real-world
More informationKey Hopping A Security Enhancement Scheme for IEEE 802.11 WEP Standards
White Paper Key Hopping A Security Enhancement Scheme for IEEE 802.11 WEP Standards By Dr. Wen-Ping Ying, Director of Software Development, February 2002 Introduction Wireless LAN networking allows the
More informationPUF Physical Unclonable Functions
Physical Unclonable Functions Protecting next-generation Smart Card ICs with SRAM-based s The use of Smart Card ICs has become more widespread, having expanded from historical banking and telecommunication
More informationClient Server Registration Protocol
Client Server Registration Protocol The Client-Server protocol involves these following steps: 1. Login 2. Discovery phase User (Alice or Bob) has K s Server (S) has hash[pw A ].The passwords hashes are
More informationApplication of Automatic Variable Password Technique in Das s Remote System Authentication Scheme Using Smart Card
Application of Automatic Variable Password Technique in Das s Remote System Authentication Scheme Using Smart Card C. Koner, Member, IACSIT, C. T. Bhunia, Sr. Member, IEEE and U. Maulik, Sr. Member, IEEE
More informationEnhancing Advanced Encryption Standard S-Box Generation Based on Round Key
Enhancing Advanced Encryption Standard S-Box Generation Based on Round Key Julia Juremi Ramlan Mahmod Salasiah Sulaiman Jazrin Ramli Faculty of Computer Science and Information Technology, Universiti Putra
More informationOutline. IT Security: General Trends and Research Directions. Technical Attacks. Typical attack. Automated attacks via Worms, Trojans, & Viruses
Outline IT Security: General Trends and Research Directions Sherif El-Kassas Department of Computer Science The American University in Cairo Practical considerations Academic and research perspective National
More informationWhite Paper: Multi-Factor Authentication Platform
White Paper: Multi-Factor Authentication Platform Version: 1.4 Updated: 29/10/13 Contents: About zero knowledge proof authentication protocols: 3 About Pairing-Based Cryptography (PBC) 4 Putting it all
More informationTwo Factor Zero Knowledge Proof Authentication System
Two Factor Zero Knowledge Proof Authentication System Quan Nguyen Mikhail Rudoy Arjun Srinivasan 6.857 Spring 2014 Project Abstract It is often necessary to log onto a website or other system from an untrusted
More informationAuthentication. Computer Security. Authentication of People. High Quality Key. process of reliably verifying identity verification techniques
Computer Security process of reliably verifying identity verification techniques what you know (eg., passwords, crypto key) what you have (eg., keycards, embedded crypto) what you are (eg., biometric information)
More informationNetwork Security. Computer Networking Lecture 08. March 19, 2012. HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23
Network Security Computer Networking Lecture 08 HKU SPACE Community College March 19, 2012 HKU SPACE CC CN Lecture 08 1/23 Outline Introduction Cryptography Algorithms Secret Key Algorithm Message Digest
More informationCIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives
CIS 6930 Emerging Topics in Network Security Topic 2. Network Security Primitives 1 Outline Absolute basics Encryption/Decryption; Digital signatures; D-H key exchange; Hash functions; Application of hash
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 1 September 2, 2015 CPSC 467, Lecture 1 1/13 Protecting Information Information security Security principles Crypto as a security
More informationPublic Key Cryptography. c Eli Biham - March 30, 2011 258 Public Key Cryptography
Public Key Cryptography c Eli Biham - March 30, 2011 258 Public Key Cryptography Key Exchange All the ciphers mentioned previously require keys known a-priori to all the users, before they can encrypt
More informationAdvanced Authentication
White Paper Advanced Authentication Introduction In this paper: Introduction 1 User Authentication 2 Device Authentication 3 Message Authentication 4 Advanced Authentication 5 Advanced Authentication is
More information6.857 Computer and Network Security Fall Term, 1997 Lecture 4 : 16 September 1997 Lecturer: Ron Rivest Scribe: Michelle Goldberg 1 Conditionally Secure Cryptography Conditionally (or computationally) secure
More informationCryptography: Authentication, Blind Signatures, and Digital Cash
Cryptography: Authentication, Blind Signatures, and Digital Cash Rebecca Bellovin 1 Introduction One of the most exciting ideas in cryptography in the past few decades, with the widest array of applications,
More informationAll You Can Eat. Breaking a Real-World Contactless Payment System
All You Can Eat or Breaking a Real-World Contactless Payment System Timo Kasper, Michael Silbermann, and Christof Paar Horst Görtz Institute for IT Security, Ruhr-University Bochum, Germany {Timo.Kasper,
More informationCSCE 465 Computer & Network Security
CSCE 465 Computer & Network Security Instructor: Dr. Guofei Gu http://courses.cse.tamu.edu/guofei/csce465/ Public Key Cryptogrophy 1 Roadmap Introduction RSA Diffie-Hellman Key Exchange Public key and
More informationCryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 02 Overview on Modern Cryptography
More informationMANAGING OF AUTHENTICATING PASSWORD BY MEANS OF NUMEROUS SERVERS
INTERNATIONAL JOURNAL OF ADVANCED RESEARCH IN ENGINEERING AND SCIENCE MANAGING OF AUTHENTICATING PASSWORD BY MEANS OF NUMEROUS SERVERS Kanchupati Kondaiah 1, B.Sudhakar 2 1 M.Tech Student, Dept of CSE,
More informationAuthentication Types. Password-based Authentication. Off-Line Password Guessing
Authentication Types Chapter 2: Security Techniques Background Secret Key Cryptography Public Key Cryptography Hash Functions Authentication Chapter 3: Security on Network and Transport Layer Chapter 4:
More informationOverview of Cryptographic Tools for Data Security. Murat Kantarcioglu
UT DALLAS Erik Jonsson School of Engineering & Computer Science Overview of Cryptographic Tools for Data Security Murat Kantarcioglu Pag. 1 Purdue University Cryptographic Primitives We will discuss the
More informationA low-cost Alternative for OAEP
A low-cost Alternative for OAEP Peter Schartner University of Klagenfurt Computer Science System Security peter.schartner@aau.at Technical Report TR-syssec-11-02 Abstract When encryption messages by use
More information2.4: Authentication Authentication types Authentication schemes: RSA, Lamport s Hash Mutual Authentication Session Keys Trusted Intermediaries
Chapter 2: Security Techniques Background Secret Key Cryptography Public Key Cryptography Hash Functions Authentication Chapter 3: Security on Network and Transport Layer Chapter 4: Security on the Application
More informationHardware Security Modules for Protecting Embedded Systems
Hardware Security Modules for Protecting Embedded Systems Marko Wolf, ESCRYPT GmbH Embedded Security, Munich, Germany André Weimerskirch, ESCRYPT Inc. Embedded Security, Ann Arbor, USA 1 Introduction &
More informationAuthentication and Security in Mobile Phones
Authentication and Security in Mobile Phones Greg Rose QUALCOMM Australia ggr@qualcomm.com ABSTRACT Mobile telephone systems have a checkered reputation regarding security and authentication features after
More informationA Framework for Secure and Verifiable Logging in Public Communication Networks
A Framework for Secure and Verifiable Logging in Public Communication Networks Vassilios Stathopoulos, Panayiotis Kotzanikolaou and Emmanouil Magkos {v.stathopoulos, p.kotzanikolaou}@adae.gr emagos@ionio.gr
More informationSECURITY FLOWS AND IMPROVEMENT OF A RECENT ULTRA LIGHT-WEIGHT RFID PROTOCOL
SECURITY FLOWS AND IMPROVEMENT OF A RECENT ULTRA LIGHT-WEIGHT RFID PROTOCOL Mehrdad Kianersi and Mahmoud Gardeshi 1 Department of Information Technology and Communication, I.H.University, Tehran, Iran
More informationNetwork Security (2) CPSC 441 Department of Computer Science University of Calgary
Network Security (2) CPSC 441 Department of Computer Science University of Calgary 1 Friends and enemies: Alice, Bob, Trudy well-known in network security world Bob, Alice (lovers!) want to communicate
More informationCRYPTANALYSIS OF A MORE EFFICIENT AND SECURE DYNAMIC ID-BASED REMOTE USER AUTHENTICATION SCHEME
CRYPTANALYSIS OF A MORE EFFICIENT AND SECURE DYNAMIC ID-BASED REMOTE USER AUTHENTICATION SCHEME Mohammed Aijaz Ahmed 1, D. Rajya Lakshmi 2 and Sayed Abdul Sattar 3 1 Department of Computer Science and
More informationAn Authentication and Security Protocol for Mobile Computing Yuliang Zheng Monash University McMahons Road, Frankston, Melbourne, VIC 3199, Australia Phone: +61 3 9904 4196, Fax: +61 3 9904 4124 Email:
More informationSecurity in Electronic Payment Systems
Security in Electronic Payment Systems Jan L. Camenisch, Jean-Marc Piveteau, Markus A. Stadler Institute for Theoretical Computer Science, ETH Zurich, CH-8092 Zurich e-mail: {camenisch, stadler}@inf.ethz.ch
More informationNetwork Security. HIT Shimrit Tzur-David
Network Security HIT Shimrit Tzur-David 1 Goals: 2 Network Security Understand principles of network security: cryptography and its many uses beyond confidentiality authentication message integrity key
More informationHASH CODE BASED SECURITY IN CLOUD COMPUTING
ABSTRACT HASH CODE BASED SECURITY IN CLOUD COMPUTING Kaleem Ur Rehman M.Tech student (CSE), College of Engineering, TMU Moradabad (India) The Hash functions describe as a phenomenon of information security
More informationLecture 9: Application of Cryptography
Lecture topics Cryptography basics Using SSL to secure communication links in J2EE programs Programmatic use of cryptography in Java Cryptography basics Encryption Transformation of data into a form that
More informationSingle Sign-On Secure Authentication Password Mechanism
Single Sign-On Secure Authentication Password Mechanism Deepali M. Devkate, N.D.Kale ME Student, Department of CE, PVPIT, Bavdhan, SavitribaiPhule University Pune, Maharashtra,India. Assistant Professor,
More informationFinal Exam. IT 4823 Information Security Administration. Rescheduling Final Exams. Kerberos. Idea. Ticket
IT 4823 Information Security Administration Public Key Encryption Revisited April 5 Notice: This session is being recorded. Lecture slides prepared by Dr Lawrie Brown for Computer Security: Principles
More informationCSC 474 -- Network Security. User Authentication Basics. Authentication and Identity. What is identity? Authentication: verify a user s identity
CSC 474 -- Network Security Topic 6.2 User Authentication CSC 474 Dr. Peng Ning 1 User Authentication Basics CSC 474 Dr. Peng Ning 2 Authentication and Identity What is identity? which characteristics
More informationYALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Cryptography and Computer Security Notes 1 (rev. 1) Professor M. J. Fischer September 3, 2008 1 Course Overview Lecture Notes 1 This course is
More informationToday. Important From Last Time. Old Joke. Computer Security. Embedded Security. Trusted Computing Base
Important From Last Time A system is safety critical when its failure may result in injuries or deaths Verification and validation can dominate overall development effort Today Embedded system security
More informationTELECOMMUNICATION NETWORKS
THE USE OF INFORMATION TECHNOLOGY STANDARDS TO SECURE TELECOMMUNICATION NETWORKS John Snare * Manager Telematic and Security Systems Section Telecom Australia Research Laboratories Victoria TELECOMMUNICATIONS
More informationAuthentication Protocols Using Hoover-Kausik s Software Token *
JOURNAL OF INFORMATION SCIENCE AND ENGINEERING 22, 691-699 (2006) Short Paper Authentication Protocols Using Hoover-Kausik s Software Token * WEI-CHI KU AND HUI-LUNG LEE + Department of Computer Science
More informationContents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008
Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008 Contents Authentication and Identity Assurance The Identity Assurance continuum Plain Password Authentication
More informationA Survey on Untransferable Anonymous Credentials
A Survey on Untransferable Anonymous Credentials extended abstract Sebastian Pape Databases and Interactive Systems Research Group, University of Kassel Abstract. There are at least two principal approaches
More informationA PERFORMANCE EVALUATION OF COMMON ENCRYPTION TECHNIQUES WITH SECURE WATERMARK SYSTEM (SWS)
A PERFORMANCE EVALUATION OF COMMON ENCRYPTION TECHNIQUES WITH SECURE WATERMARK SYSTEM (SWS) Ashraf Odeh 1, Shadi R.Masadeh 2, Ahmad Azzazi 3 1 Computer Information Systems Department, Isra University,
More informationSecureCom Mobile s mission is to help people keep their private communication private.
About SecureCom Mobile SecureCom Mobile s mission is to help people keep their private communication private. We believe people have a right to share ideas with each other, confident that only the intended
More information1 Data Encryption Algorithm
Date: Monday, September 23, 2002 Prof.: Dr Jean-Yves Chouinard Design of Secure Computer Systems CSI4138/CEG4394 Notes on the Data Encryption Standard (DES) The Data Encryption Standard (DES) has been
More informationThe introduction covers the recent changes is security threats and the effect those changes have on how we protect systems.
1 Cyber-attacks frequently take advantage of software weaknesses unintentionally created during development. This presentation discusses some ways that improved acquisition practices can reduce the likelihood
More informationSD12 REPLACES: N19780
ISO/IEC JTC 1/SC 27 N13432 ISO/IEC JTC 1/SC 27 Information technology - Security techniques Secretariat: DIN, Germany SD12 REPLACES: N19780 DOC TYPE: TITLE: Standing document ISO/IEC JTC 1/SC 27 Standing
More informationSecurity Aspects of. Database Outsourcing. Vahid Khodabakhshi Hadi Halvachi. Dec, 2012
Security Aspects of Database Outsourcing Dec, 2012 Vahid Khodabakhshi Hadi Halvachi Security Aspects of Database Outsourcing Security Aspects of Database Outsourcing 2 Outline Introduction to Database
More informationThe Essentials Series. PCI Compliance. sponsored by. by Rebecca Herold
The Essentials Series PCI Compliance sponsored by by Rebecca Herold Using PCI DSS Compliant Log Management to Identify Attacks from Outside the Enterprise...1 Outside Attacks Impact Business...1 PCI DSS
More informationEnhanced Privacy ID (EPID) Ernie Brickell and Jiangtao Li Intel Corporation
Enhanced Privacy ID (EPID) Ernie Brickell and Jiangtao Li Intel Corporation 1 Agenda EPID overview EPID usages Device Authentication Government Issued ID EPID performance and standardization efforts 2
More informationEstablishing a Data-Centric Approach to Encryption
Establishing a Data-Centric Approach to Encryption Marcia Kaufman, COO and Principal Analyst Sponsored by Voltage Security Voltage Security: Many data breaches occur at companies that already have a data
More informationLecture 6 - Cryptography
Lecture 6 - Cryptography CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse497b-s07 Question 2 Setup: Assume you and I don t know anything about
More informationVictor Shoup Avi Rubin. fshoup,rubing@bellcore.com. Abstract
Session Key Distribution Using Smart Cards Victor Shoup Avi Rubin Bellcore, 445 South St., Morristown, NJ 07960 fshoup,rubing@bellcore.com Abstract In this paper, we investigate a method by which smart
More informationPCI PA - DSS. Point BKX Implementation Guide. Version 2.01. Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core
PCI PA - DSS Point BKX Implementation Guide Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core Version 2.01 POINT TRANSACTION SYSTEMS AB Box 92031, 120 06 Stockholm, Tel. +46 8 566
More informationA Secure RFID Ticket System For Public Transport
A Secure RFID Ticket System For Public Transport Kun Peng and Feng Bao Institute for Infocomm Research, Singapore Abstract. A secure RFID ticket system for public transport is proposed in this paper. It
More informationThe Advanced Encryption Standard (AES)
The Advanced Encryption Standard (AES) Conception - Why A New Cipher? Conception - Why A New Cipher? DES had outlived its usefulness Vulnerabilities were becoming known 56-bit key was too small Too slow
More informationChapter 1: Introduction
Chapter 1 Introduction 1 Chapter 1: Introduction 1.1 Inspiration Cloud Computing Inspired by the cloud computing characteristics like pay per use, rapid elasticity, scalable, on demand self service, secure
More informationSecurity in Near Field Communication (NFC)
Security in Near Field Communication (NFC) Strengths and Weaknesses Ernst Haselsteiner and Klemens Breitfuß Philips Semiconductors Mikronweg 1, 8101 Gratkorn, Austria ernst.haselsteiner@philips.com klemens.breitfuss@philips.com
More informationOPENID AUTHENTICATION SECURITY
OPENID AUTHENTICATION SECURITY Erik Lagercrantz and Patrik Sternudd Uppsala, May 17 2009 1 ABSTRACT This documents gives an introduction to OpenID, which is a system for centralised online authentication.
More informationPCI PA - DSS. Point ipos Implementation Guide. Version 1.01. VeriFone Vx820 using the Point ipos Payment Core
PCI PA - DSS Point ipos Implementation Guide VeriFone Vx820 using the Point ipos Payment Core Version 1.01 POINT TRANSACTION SYSTEMS AB Box 92031, 120 06 Stockholm, Tel. +46 8 566 287 00 www.point.se Page
More informationAuthentication requirement Authentication function MAC Hash function Security of
UNIT 3 AUTHENTICATION Authentication requirement Authentication function MAC Hash function Security of hash function and MAC SHA HMAC CMAC Digital signature and authentication protocols DSS Slides Courtesy
More informationSplit Based Encryption in Secure File Transfer
Split Based Encryption in Secure File Transfer Parul Rathor, Rohit Sehgal Assistant Professor, Dept. of CSE, IET, Nagpur University, India Assistant Professor, Dept. of CSE, IET, Alwar, Rajasthan Technical
More informationEnhancing Organizational Security Through the Use of Virtual Smart Cards
Enhancing Organizational Security Through the Use of Virtual Smart Cards Today s organizations, both large and small, are faced with the challenging task of securing a seemingly borderless domain of company
More informationEffective Secure Encryption Scheme [One Time Pad] Using Complement Approach Sharad Patil 1 Ajay Kumar 2
Effective Secure Encryption Scheme [One Time Pad] Using Complement Approach Sharad Patil 1 Ajay Kumar 2 Research Student, Bharti Vidyapeeth, Pune, India sd_patil057@rediffmail.com Modern College of Engineering,
More informationAuthenticity of Public Keys
SSL/TLS EJ Jung 10/18/10 Authenticity of Public Keys Bob s key? private key Bob public key Problem: How does know that the public key she received is really Bob s public key? Distribution of Public Keys!
More informationChapter 16: Authentication in Distributed System
Chapter 16: Authentication in Distributed System Ajay Kshemkalyani and Mukesh Singhal Distributed Computing: Principles, Algorithms, and Systems Cambridge University Press A. Kshemkalyani and M. Singhal
More informationLecture Note 8 ATTACKS ON CRYPTOSYSTEMS I. Sourav Mukhopadhyay
Lecture Note 8 ATTACKS ON CRYPTOSYSTEMS I Sourav Mukhopadhyay Cryptography and Network Security - MA61027 Attacks on Cryptosystems Up to this point, we have mainly seen how ciphers are implemented. We
More informationCSE/EE 461 Lecture 23
CSE/EE 461 Lecture 23 Network Security David Wetherall djw@cs.washington.edu Last Time Naming Application Presentation How do we name hosts etc.? Session Transport Network Domain Name System (DNS) Data
More informationThe science of encryption: prime numbers and mod n arithmetic
The science of encryption: prime numbers and mod n arithmetic Go check your e-mail. You ll notice that the webpage address starts with https://. The s at the end stands for secure meaning that a process
More informationPrivyLink Cryptographic Key Server *
WHITE PAPER PrivyLink Cryptographic Key * Tamper Resistant Protection of Key Information Assets for Preserving and Delivering End-to-End Trust and Values in e-businesses September 2003 E-commerce technology
More informationAn Improved Authentication Protocol for Session Initiation Protocol Using Smart Card and Elliptic Curve Cryptography
ROMANIAN JOURNAL OF INFORMATION SCIENCE AND TECHNOLOGY Volume 16, Number 4, 2013, 324 335 An Improved Authentication Protocol for Session Initiation Protocol Using Smart Card and Elliptic Curve Cryptography
More informationChapter 7 Transport-Level Security
Cryptography and Network Security Chapter 7 Transport-Level Security Lectured by Nguyễn Đức Thái Outline Web Security Issues Security Socket Layer (SSL) Transport Layer Security (TLS) HTTPS Secure Shell
More informationA Vulnerability in the Song Authentication Protocol for Low-Cost RFID Tags
A Vulnerability in the Song Authentication Protocol for Low-Cost RFID Tags Sarah Abughazalah, Konstantinos Markantonakis, and Keith Mayes Smart Card Centre-Information Security Group (SCC-ISG) Royal Holloway,
More informationInternational Journal of Information Technology, Modeling and Computing (IJITMC) Vol.1, No.3,August 2013
FACTORING CRYPTOSYSTEM MODULI WHEN THE CO-FACTORS DIFFERENCE IS BOUNDED Omar Akchiche 1 and Omar Khadir 2 1,2 Laboratory of Mathematics, Cryptography and Mechanics, Fstm, University of Hassan II Mohammedia-Casablanca,
More information